SQL, or Structured Query Language, is the language used to manage data in a relational database management system (RDBMS). Many websites and applications use it to handle their databases: it can read, add, modify and delete data. In some cases it can also be made to run operating system commands, through database features that expose shell access (Microsoft SQL Server's xp_cmdshell is the usual example).
SQLi, or SQL injection, is a code injection technique used against applications that build SQL queries from user input. An attacker can use it to bypass a web application's authentication and authorization and gain administrative access to the database, and can then read, modify, delete and add data. In practice this is how attackers dump an entire user database from a site, including passwords (or their hashes), account history and other personal information.
Two conditions must hold for SQLi to be possible: the application must use an SQL database, and it must take user-controllable input and place it directly into an SQL query. The attacker first has to find an input that the application includes in a query it then runs against its database server. For example, a login script that checks a username and password against the users table can be exploited by submitting the password ' OR '1'='1 . The leading quote closes the string literal the application opened, and the rest appends an always-true condition, so the WHERE clause matches every row and the script accepts the first one returned, which is often the administrative account.
To prevent SQLi, never splice user input into an SQL string, even after modifying or checking it. Use prepared statements with parameterized queries instead: the query structure is fixed first and the input is bound to it as data, so it can never become part of the SQL syntax. In PHP you have two options for this, PHP Data Objects (PDO) or the MySQLi extension.
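The authentication bypass described above and the parameterized fix, as an added example written for this page rather than code from the original article. It uses Python's built-in sqlite3 module with a constructed in-memory users table (the password column holds placeholder strings standing in for stored hashes) so it runs offline; the same contrast applies to PDO or MySQLi in PHP. The function and table names are assumptions made for the demo.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite database standing in for the
# application's user table. The password values are placeholders for stored
# hashes, not real credentials.
SAMPLE_USERS = [
    (1, "admin", "hash-of-admin-secret"),
    (2, "alice", "hash-of-alice-secret"),
]


def make_db():
    """Create an in-memory database with a users table and the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, so the user controls the SQL.

    Returns the username of the first matching row, or None.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check as a parameterized query: the input is bound as data only."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run the attack payloads against both versions of the login check."""
    conn = make_db()

    # Payload 1: close the string literal and append an always-true condition.
    # Effective SQL in the vulnerable version:
    #   ... WHERE username = 'nobody' AND password = '' OR '1'='1'
    # AND binds tighter than OR, so every row matches and the first row
    # returned is the admin account.
    always_true = "' OR '1'='1"
    bypass_first_row = login_vulnerable(conn, "nobody", always_true)

    # Payload 2: target a known account and comment out the password check.
    # Effective SQL: ... WHERE username = 'admin'-- ' AND password = 'x'
    comment_out = "admin'-- "
    bypass_named_account = login_vulnerable(conn, comment_out, "x")

    # The parameterized version treats the same payload as a literal password
    # string, which matches nothing, while real credentials still work.
    safe_with_payload = login_safe(conn, "nobody", always_true)
    safe_with_real_creds = login_safe(conn, "alice", "hash-of-alice-secret")

    return bypass_first_row, bypass_named_account, safe_with_payload, safe_with_real_creds


if __name__ == "__main__":
    first, named, blocked, legit = demo()
    print("vulnerable, always-true payload     ->", first)    # admin
    print("vulnerable, comment-out payload     ->", named)    # admin
    print("parameterized, always-true payload  ->", blocked)  # None
    print("parameterized, real credentials     ->", legit)    # alice
```

The point to take from the two functions is that login_safe never changes the SQL text between calls: the database parses the fixed query once and receives the user's input only as bound values, so a quote or comment marker in the input has no syntactic effect.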